Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

Facebook Delegated Recovery Protocol Offers New Password Reset Option

New open-source effort debuts to help improve the state of secure account recovery across internet services, starting with GitHub.

When a user loses access to an online account, a common feature in many sites is a password reset feature via email. While an email based account password reset can work for users, it's not a particularly secure approach. Facebook wants to help improve the state of account recovery with a new open-source Delegated Recovery protocol.

The Delegated Recovery protocol is currently available as an open-source project on the GitHub code repository. Facebook has also chosen to first enable Delegated Recovery to work with GitHub accounts.

"Delegated-account-recovery is a protocol that allows an application to delegate the capability to recover an account (e.g. in the event of a credential loss or compromise) to an account controlled by the same user at a third party service provider," the GitHub project page states.

The new Delegated Recovery protocol should not be confused with Facebook Connect, which is a single sign-on approach that uses the OAuth protocol. With Facebook Connect, sites enable users to log on with a Facebook account.

Further reading

"There are some conceptual similarities between OAuth other federated identity systems and this protocol, but there are important differences too," Facebook Security Engineer Brad Hill told eWEEK.

Hill explained that in an OAuth authentication flow, a site asks for permission to learn something about the user's account at the identity provider, like their name, email address, or public profile information. In contrast, the Delegated Recovery protocol doesn’t share that kind of information, in either direction.

The way Delegated Recovery works is with an authentication token that is securely stored by Facebook and connected to a user's account.

"Each site will generate its own recovery token for each specific account and ask the account holder to save it at Facebook," Hill said. "Later, if the person forgets their password, he or she can ask Facebook to send that recovery token back to the site it came from."

On GitHub, which is the first site to use Delegated Recovery, if a user attempts to do an account recovery, GitHub will send the user to the relevant page on Facebook directly. Alternatively the user can access their saved tokens in the security settings page on Facebook.

"You'll be asked to re-authenticate to Facebook to use a token for recovery and afterwards be sent back to GitHub to complete the process of regaining access to your account," Hill said.

While GitHub is the first site on which account recovery works, it's likely not going to be the only one.

"We will be working to bring more services on-board so that people will have more choices of what accounts to use for secure recovery, and can use it in more places," Hill said. "Releasing open-source reference code will be part of supporting that effort."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.